Closed ekoops closed 9 hours ago
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: alacuku, ekoops
LGTM label has been added.
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area pkg
What this PR does / why we need it:
This PR adds the capability to specify the user and the Linux capabilities a process in the process chain can be run with.
Capabilities can only be specified for the leaf process. Omitting capabilities is equivalent to specifying `all=iep`.
Each process in the chain runs with real user/group ID equal to 0 (root). Specifying a user sets the effective and the saved set-user/group-ID to the corresponding user/group IDs. If a user specified in the chain doesn't exist, it is created before running the test and deleted after test execution.
The securebit `SECBIT_NOROOT` is enabled on the calling thread before creating any child process: this is done in order to prevent the kernel from ignoring the specified capabilities when the real user ID is zero (see 'Capabilities and execution of programs by root' in capabilities(7)).
Users who wish to run the before and after script or create a 'process' test resource must take care to provide at least `CAP_SETPCAP` in its permitted and effective set.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: